SELinux issue
by Newman, Stuart J. (GSFC-428.0)[HONEYWELL TECHNOLOGY SOLUTIONS INC]
cobbler.noarch 2.2.2-1.el6
After running cobbler check, I get the following from sealert.
SELinux is preventing /usr/sbin/getsebool from read access on the directory /selinux/booleans/.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that getsebool should be allowed read access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep getsebool /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:cobblerd_t:s0
Target Context system_u:object_r:security_t:s0
Target Objects /selinux/booleans/ [ dir ]
Source getsebool
Source Path /usr/sbin/getsebool
Port <Unknown>
Host fiat
Source RPM Packages libselinux-utils-2.0.94-5.2.el6
Target RPM Packages
Policy RPM selinux-policy-3.7.19-126.el6_2.10
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fiat
Platform Linux fiat 2.6.32-220.13.1.el6.x86_64 #1 SMP Thu
Mar 29 11:46:40 EDT 2012 x86_64 x86_64
Alert Count 1
First Seen Thu 19 Apr 2012 09:11:21 AM EDT
Last Seen Thu 19 Apr 2012 09:11:21 AM EDT
Local ID 7c9ae146-bcf5-4ea1-b33d-c49f914ef04c
Raw Audit Messages
type=AVC msg=audit(1334841081.897:37262): avc: denied { read } for pid=11168 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1334841081.897:37262): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff7436be20 a1=90800 a2=7f0a6587b260 a3=7fff7436bb80 items=2 ppid=1989 pid=11168 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=getsebool exe=/usr/sbin/getsebool subj=system_u:system_r:cobblerd_t:s0 key=(null)
type=CWD msg=audit(1334841081.897:37262): cwd=/
type=PATH msg=audit(1334841081.897:37262): item=0 name=/selinux/booleans/ inode=21 dev=00:0e mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:security_t:s0
type=PATH msg=audit(1334841081.897:37262): item=1 name=/selinux/booleans/ inode=21 dev=00:0e mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:security_t:s0
Hash: getsebool,cobblerd_t,security_t,dir,read
audit2allow
#============= cobblerd_t ==============
allow cobblerd_t security_t:dir read;
audit2allow -R
#============= cobblerd_t ==============
allow cobblerd_t security_t:dir read;
The output of cobbler check is:
[root@fiat Desktop]# cobbler check
The following are potential configuration items that you may want to fix:
1 : you need to set some SELinux content rules to ensure cobbler serves content correctly in your SELinux environment, run the following: /usr/sbin/semanage fcontext -a -t public_content_t "/var/lib/tftpboot/.*" && /usr/sbin/semanage fcontext -a -t public_content_t "/var/www/cobbler"/images/.*
2 : you need to set some SELinux rules if you want to use cobbler-web (an optional package), run the following: /usr/sbin/semanage fcontext -a -t httpd_sys_content_rw_t "/var/lib/cobbler/webui_sessions/.*"
3 : Apache (httpd) is not installed and/or in path
4 : debmirror package is not installed, it will be required to manage debian deployments and repositories
5 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one
6 : fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them
Items 1, 2 and 3 disappear when I change SELinux to permissive.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Stuart J. Newman
Engineer 4; Systems
Solar Dynamics Observatory (SDO)
Honeywell Technology Solutions Inc
NASA/Goddard Space Flight Center
Building 14, Room E222
Mail Stop 428.2
Greenbelt, MD 20771
Office: (301) 286-5145
EMail: Stuart.J.Newman(a)nasa.gov
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
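The rule audit2allow produced above ("allow cobblerd_t security_t:dir read;") is derived mechanically from the AVC line: source type from scontext, target type from tcontext, the object class, and the permissions in braces. The following is an added example, not part of the original post and not cobbler or setools code, that does the same parsing over raw audit.log text so a reviewer can see exactly which denials a generated module would cover before loading it. The input is constructed: the first AVC line is the one from the report above, the second is a made-up line with two permissions to show how permissions are merged per (source, target, class) triple. The function names and the regex are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC line from the sealert report, a SYSCALL line
# (ignored by the parser), and a constructed second AVC line with two permissions.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1334841081.897:37262): avc: denied { read } for pid=11168 comm="getsebool" name="booleans" dev=selinuxfs ino=21 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=dir
type=SYSCALL msg=audit(1334841081.897:37262): arch=x86_64 syscall=open success=no exit=EACCES comm=getsebool exe=/usr/sbin/getsebool
type=AVC msg=audit(1334841090.100:37263): avc: denied { getattr open } for pid=11170 comm="getsebool" path="/selinux/booleans/constructed" dev=selinuxfs ino=22 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
"""

# Kernel AVC format: "avc: denied { perms } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
COMM_RE = re.compile(r'comm="([^"]*)"')


def context_type(ctx):
    """Return the type field of an SELinux context written as user:role:type:level."""
    return ctx.split(':')[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms_tuple, comm) for each AVC line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records carry no denial by themselves
        comm = COMM_RE.search(line)
        yield (
            context_type(m['scontext']),
            context_type(m['tcontext']),
            m['tclass'],
            tuple(sorted(m['perms'].split())),
            comm.group(1) if comm else None,
        )


def denials_to_rules(text):
    """Merge denials into one allow rule per (source type, target type, class),
    in the same form audit2allow prints (braces only when several permissions)."""
    perms_by_key = defaultdict(set)
    for stype, ttype, tclass, perms, _comm in parse_avc_denials(text):
        perms_by_key[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ ' + perm_text + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {perm_text};')
    return rules


if __name__ == '__main__':
    # Review the rules before feeding anything to semodule: each line names
    # exactly the domain, target type and permission the module would grant.
    for rule in denials_to_rules(SAMPLE_AUDIT):
        print(rule)
```

Run against a real log with `python3 avc_rules.py < /dev/null` replaced by reading `/var/log/audit/audit.log`, or simply paste its output next to `grep getsebool /var/log/audit/audit.log | audit2allow`; both should yield the same `allow cobblerd_t security_t:dir read;` for the denial in the report. Keeping the rule list this explicit is the check worth doing before `semodule -i`, since a module built from a busy log merges every denial for the domain, not only the one being investigated.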